@@ -550,57 +550,82 @@ func (r *IronicConductorReconciler) reconcileNormal(ctx context.Context, instanc
550550 //
551551 // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
552552 //
553- ospSecret , hash , err := secret .GetSecret (ctx , helper , instance .Spec .Secret , instance .Namespace )
553+ // Associate to PasswordSelectors.Service field a password validator to
554+ // ensure pwd invalid detected patterns are rejected.
555+ validateFields := map [string ]secret.Validator {
556+ instance .Spec .PasswordSelectors .Service : secret.PasswordValidator {},
557+ }
558+ hash , ctrlResult , err := secret .VerifySecretFields (
559+ ctx ,
560+ types.NamespacedName {
561+ Namespace : instance .Namespace ,
562+ Name : instance .Spec .Secret ,
563+ },
564+ validateFields ,
565+ helper .GetClient (),
566+ time .Duration (10 )* time .Second ,
567+ )
554568 if err != nil {
555- if k8s_errors .IsNotFound (err ) {
556- // Since the OpenStack secret should have been manually created by the user and referenced in the spec,
557- // we treat this as a warning because it means that the service will not be able to start.
558- Log .Info (fmt .Sprintf ("OpenStack secret %s not found" , instance .Spec .Secret ))
559- instance .Status .Conditions .Set (condition .FalseCondition (
560- condition .InputReadyCondition ,
561- condition .ErrorReason ,
562- condition .SeverityWarning ,
563- condition .InputReadyWaitingMessage ))
564- return ctrl.Result {RequeueAfter : time .Second * 10 }, nil
565- }
566569 instance .Status .Conditions .Set (condition .FalseCondition (
567570 condition .InputReadyCondition ,
568571 condition .ErrorReason ,
569572 condition .SeverityWarning ,
570573 condition .InputReadyErrorMessage ,
571574 err .Error ()))
572- return ctrl.Result {}, err
575+ return ctrlResult , err
576+ } else if (ctrlResult != ctrl.Result {}) {
577+ // Since the service secret should have been manually created by the user and referenced in the spec,
578+ // we treat this as a warning because it means that the service will not be able to start.
579+ log .FromContext (ctx ).Info (fmt .Sprintf ("OpenStack secret %s not found" , instance .Spec .Secret ))
580+ instance .Status .Conditions .Set (condition .FalseCondition (
581+ condition .InputReadyCondition ,
582+ condition .ErrorReason ,
583+ condition .SeverityWarning ,
584+ condition .InputReadyWaitingMessage ))
585+ return ctrlResult , err
573586 }
574- configMapVars [ospSecret . Name ] = env .SetValue (hash )
587+ configMapVars [instance . Spec . Secret ] = env .SetValue (hash )
575588 // run check OpenStack secret - end
576589
577590 //
578591 // check for required TransportURL secret holding transport URL string
579592 //
580593 if instance .Spec .RPCTransport == "oslo" {
581- transportURLSecret , hash , err := secret .GetSecret (ctx , helper , instance .Spec .TransportURLSecret , instance .Namespace )
594+ // transportURLFields are not pure password fields. We do not associate a
595+ // password validator and we only verify that the entry exists in the
596+ // secret
597+ transportValidateFields := map [string ]secret.Validator {
598+ "transport_url" : secret.NoOpValidator {},
599+ }
600+ hash , ctrlResult , err = secret .VerifySecretFields (
601+ ctx ,
602+ types.NamespacedName {
603+ Namespace : instance .Namespace ,
604+ Name : instance .Spec .TransportURLSecret ,
605+ },
606+ transportValidateFields ,
607+ helper .GetClient (),
608+ time .Duration (10 )* time .Second ,
609+ )
610+ // NOTE: This should be moved to TransportURLSecretReadyCondition
582611 if err != nil {
583- if k8s_errors .IsNotFound (err ) {
584- // Since the TransportURL secret should have been previously automatically created by the parent
585- // Ironic CR and then referenced in this instance's spec, we treat this as a warning because it
586- // means that the service will not be able to start.
587- Log .Info (fmt .Sprintf ("TransportURL secret %s not found" , instance .Spec .TransportURLSecret ))
588- instance .Status .Conditions .Set (condition .FalseCondition (
589- condition .InputReadyCondition ,
590- condition .ErrorReason ,
591- condition .SeverityWarning ,
592- condition .InputReadyWaitingMessage ))
593- return ctrl.Result {RequeueAfter : time .Second * 10 }, nil
594- }
595612 instance .Status .Conditions .Set (condition .FalseCondition (
596613 condition .InputReadyCondition ,
597614 condition .ErrorReason ,
598615 condition .SeverityWarning ,
599616 condition .InputReadyErrorMessage ,
600617 err .Error ()))
601- return ctrl.Result {}, err
618+ return ctrlResult , err
619+ } else if (ctrlResult != ctrl.Result {}) {
620+ Log .Info (fmt .Sprintf ("TransportURL secret %s not found" , instance .Spec .TransportURLSecret ))
621+ instance .Status .Conditions .Set (condition .FalseCondition (
622+ condition .InputReadyCondition ,
623+ condition .RequestedReason ,
624+ condition .SeverityInfo ,
625+ condition .InputReadyWaitingMessage ))
626+ return ctrlResult , err
602627 }
603- configMapVars [transportURLSecret . Name ] = env .SetValue (hash )
628+ configMapVars [instance . Spec . TransportURLSecret ] = env .SetValue (hash )
604629 }
605630 // run check TransportURL secret - end
606631
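Review bot: The first `if err != nil` branch still copies the error from `secret.VerifySecretFields` verbatim into the `InputReadyCondition` message via `err.Error()`, and with `secret.PasswordValidator{}` now on that path the text may carry validation failures. The validator's error text is not visible here, so please confirm it never echoes the rejected value, because condition messages are stored in the CR status and are readable by anyone who can get the resource. The two waiting branches also disagree: the OpenStack-secret one sets `condition.ErrorReason`/`condition.SeverityWarning` and logs through `log.FromContext(ctx)`, while the TransportURL one sets `condition.RequestedReason`/`condition.SeverityInfo` and logs through `Log`, so one convention should be chosen. Both branches log "not found" for any non-empty `ctrlResult`, which is presumably the only requeue case, and both would read more clearly as `return ctrlResult, nil` since `err` is known to be nil there. reconcileNormal begins and continues outside this hunk.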
@@ -772,7 +797,7 @@ func (r *IronicConductorReconciler) reconcileNormal(ctx context.Context, instanc
772797 time .Duration (5 )* time .Second ,
773798 )
774799
775- ctrlResult , err : = ss .CreateOrPatch (ctx , helper )
800+ ctrlResult , err = ss .CreateOrPatch (ctx , helper )
776801 if err != nil {
777802 instance .Status .Conditions .Set (condition .FalseCondition (
778803 condition .DeploymentReadyCondition ,